Under normal circumstances, a complete security management document system has a four-layer structure: the overall policy and strategy for network security work, the security management systems, the operating procedures and security configuration specifications, and the various record forms.
Level 1 documents (security policy): state the organization's mission and intent, define the overall security objectives, scope, principles and security framework, and establish the operating model for security work.
Level 2 documents (management systems): standardize the behaviour to be followed at each stage and link of the construction, development, operation, maintenance, upgrade and transformation of the information system.
Level 3 documents (operating specifications): the specific operating steps and methods for each item, which may take the form of a manual, a flow chart or an implementation method.
Level 4 documents (record forms): daily operation and maintenance records, approval records, meeting minutes and other such documents.
Taking a Class III (Level 3) system as an example, the management systems and documents normally required are listed below:
| Document level | Classification | Document content |
|---|---|---|
| Level 1 documents | Security policy | Security policy overview |
| Level 2 documents | Management system | Management system for the formulation, release and maintenance of management systems |
| | Security management organization | Security organization and job responsibility management system |
| | | Authorization and approval system |
| | | Security audit and inspection system |
| | | ... |
| | Security management personnel | Management systems for personnel recruitment, departure, assessment, etc. |
| | | Management system for personnel security education and training |
| | | External personnel management system |
| | | ... |
| | Security construction management | Management system for project implementation process management |
| | | Management system for product selection and procurement |
| | | Management system for testing, acceptance and delivery |
| | | Software development management system |
| | | Secure coding practices |
| | | Outsourced software development management system |
| | | ... |
| | Security operation and maintenance management | Office environment management system |
| | | Computer room security management system |
| | | Asset security management system |
| | | Media security management system |
| | | Equipment security management system |
| | | Network system security management system |
| | | Malicious code prevention management system |
| | | Password management system |
| | | Configuration management system |
| | | Change management system |
| | | Backup and recovery management system |
| | | Security incident management system |
| | | Emergency plan management system (including the various special emergency plans) |
| | | ... |
| Level 3 documents | Configuration specifications | Configuration baselines for network/security devices, operating systems, databases, etc. |
| | Operation manuals | Application software design documents |
| | | Software user guide |
| | | Source code documentation |
| | | Operation and maintenance manual (process form/diagram, implementation method) |
| | | ... |
| Level 4 documents | Records and forms | System formulation and modification records |
| | | Various approval records |
| | | Training records |
| | | Meeting minutes |
| | | Security checklist, security inspection report, etc. |
| | | Security management position personnel information form |
| | | Network security external unit communication and cooperation contact form |
| | | Confidentiality agreement |
| | | Key position security agreement |
| | | Personnel recruitment and resignation records |
| | | Authorization and approval records for modification, update and release of the program resource library |
| | | Project implementation plan |
| | | Test and acceptance plan, records, etc. |
| | | Security test report |
| | | Delivery list |
| | | Service provider contracts, agreements, etc. |
| | | Security assessment records of service providers |
| | | External personnel access registration approval form |
| | | External personnel access registration record form |
| | | Non-disclosure agreement for external personnel |
| | | Purchase requisition approval form |
| | | Asset list |
| | | Application form for scrapping of assets subject to level protection |
| | | Equipment exit slip |
| | | Equipment maintenance record sheet |
| | | Network security incident reporting form |
| | | System exception event handling records |
| | | Emergency response approval form |
| | | Vulnerability scanning and risk assessment reports |
| | | Malicious code inspection records, virus disposal records |
| | | Data backup, recovery test and other records |
| | | Daily operation and maintenance forms and records |
| | | System change plan and approval records |
| | | Emergency drill and training records |
| | | ... |
Enterprises can select and adjust these documents according to their own circumstances. For example, an enterprise without its own development team does not need a software development management system or secure coding practices; if customized software development is entrusted to an outsourcing team, an outsourced software development management system is required instead.